Page 199 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Exam Essentials


Understand the security implications of hiring new employees. To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organization's assets.

Be able to explain separation of duties. Separation of duties is the security concept of dividing critical, significant, sensitive work tasks among several individuals. By separating duties in this manner, you ensure that no one person can compromise system security.

Understand the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. By limiting user access only to those items that they need to complete their work tasks, you limit the vulnerability of sensitive information.
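The two essentials above, separation of duties and least privilege, are easiest to see when they are enforced by an authorization check rather than only by policy text. The following is an added example written for this page, not code from the study guide: a small invoice-approval model in which each role carries only the permissions its job needs (least privilege), an invoice can never be approved by the person who created it (separation of duties), and a helper flags any user whose combined roles would let them do both. The users, roles, permission names and invoice fields are all constructed for the example.

```python
"""Added example (not from the study guide): enforcing least privilege and
separation of duties in an authorization check. Users, roles and permission
names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each role is granted only the permissions that job needs.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:create"},
    "ap_manager": {"invoice:approve"},
    "auditor":    {"invoice:read"},
}

# Constructed user-to-role assignments. "carol" is deliberately over-privileged
# so the conflict check below has something to find.
USERS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},
    "dave":  {"auditor"},
}


class AuthorizationError(Exception):
    """Raised when a request is outside the caller's permitted work tasks."""


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def permissions_for(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def require(user, permission):
    """Deny by default: the user must hold the permission through a role."""
    if permission not in permissions_for(USERS.get(user, set())):
        raise AuthorizationError(f"{user} lacks {permission}")


def create_invoice(user, invoice_id, amount):
    require(user, "invoice:create")
    return Invoice(invoice_id, amount, created_by=user)


def approve_invoice(user, invoice):
    require(user, "invoice:approve")
    # Separation of duties: the approver must be a different person from the
    # creator, so no single individual can push an invoice through alone.
    if user == invoice.created_by:
        raise AuthorizationError(f"{user} cannot approve an invoice they created")
    invoice.approved_by = user
    return invoice


def find_sod_conflicts(users=USERS):
    """Return users whose combined roles let them both create and approve.

    Such a user could still be blocked at approval time, but the role
    assignment itself already violates least privilege and should be fixed.
    """
    toxic = {"invoice:create", "invoice:approve"}
    return [u for u, roles in users.items() if toxic <= permissions_for(roles)]


def is_denied(action, *args):
    """True if the action is refused by the authorization checks."""
    try:
        action(*args)
        return False
    except AuthorizationError:
        return True


if __name__ == "__main__":
    inv = approve_invoice("bob", create_invoice("alice", "INV-1", 1000.0))
    print("approved by", inv.approved_by)                    # bob
    print("SoD conflicts:", find_sod_conflicts())            # ['carol']
    print("carol self-approves:",
          is_denied(approve_invoice, "carol",
                    create_invoice("carol", "INV-2", 50.0)))  # True
```

The point of the `find_sod_conflicts` check is that separation of duties has to be reviewed at the role-assignment level, not only at the moment of the transaction: an over-privileged account is a standing risk even before anyone tries to misuse it, and periodic reviews (which is where job rotation and mandatory vacations fit in) are how such accumulations get caught.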

Know why job rotation and mandatory vacations are necessary. Job rotation serves two functions. It provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

Understand vendor, consultant, and contractor controls. Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).

Be able to explain proper termination policies. A termination